2007 Follow-Up Report on the Audit of Information Technology January 2005

Transcription

1 2007 Follow-Up Report on the Audit of Information Technology January 2005 Natural Sciences & Engineering Research Council of Canada & Social Sciences & Humanities Research Council of Canada October 2007

2 Follow-up Report on the Audit of Information Technology Introduction In accordance with NSERC SSHRC s annual plan for internal audit, a follow-up audit of the 2005 Audit of Information Technology occurred. This report presents the observations and findings of the follow-up audit. Being a follow-up audit, the focus was the actions taken in response to recommendations made in Objectives and Scope The primary objective and scope of the follow-up audit were to report on the status of the approved management action plans related to the recommendations in the 2005 Audit of Information Technology. Governance was a significant issue raised in the 2005 Audit. In response, management introduced the IM/IT Bi-Council Steering Committee to oversee and provide direction to the IT function. Given the importance of this change, we took the opportunity to observe two meetings of the committee, as a means to comment on and, if appropriate, offer suggestions to improve its operations. Accordingly, the follow-up audit was completed in two phases, coinciding with two meetings of the committee. The first phase commenced in June 2007 and was completed in July 2007, focusing on the status of management responses to audit recommendations. The second phase commenced in September 2007 and was completed in October 2007, allowing us to observe a second meeting of the committee. Approach The follow-up audit was conducted in accordance with the internal auditing standards for the Government of Canada. The approach included: Reviewing the information technology audit report; Reviewing the management action plans related to the recommendations in the audit report; Developing an audit approach for these issues; Interviewing responsible managers and examining pertinent documentation related to the action plan; Observing two meetings of the NSERC - SSHRC IM/IT Bi-Council Steering Committee; Page 2

3 Interviewing or requesting input from executive members of NSERC and SSHRC and the Vice President, CASD; Conducting such tests, as necessary, to assess the effectiveness of current practices; and, Discussing preliminary audit findings, with the Corporate Internal Auditor and the responsible management. Background to the Follow-up Audit The Natural Sciences and Engineering Research Council of Canada (NSERC) and the Social Sciences and Humanities Research Council of Canada (SSHRC) share administrative services through the Common Administrative Services Directorate (CASD). Included in the shared directorate is an Information Services Division (ISD). During 2004, an audit was conducted of Information Technology in the two councils. An audit report, which contained 22 recommendations for the strengthening of the information technology function, was released in January In February 2005, management provided their action plan in response to the recommendations contained in the audit report. Notice to Reader: Since the time of the audit, organizational changes occurred, such that the organization responsible for information services is now the Information Management and Technology Services Division (IMTS). While recommendations and management responses in the original audit report referred to ISD or ITSS, such references have been amended to IMTS in line with current structure. Overall Conclusions Positive progress was observed in response to all recommendations made in the 2005 Audit. As of September 2007, fifteen of the twenty-two 2005 recommendations have been implemented and seven recommendations remain in progress. Our tests confirmed the implementation of management actions, reported as completed, and the accuracy of the status reports for the seven recommendations remaining in-progress. Two recommendations have been made regarding the operations of the IM/IT Bi-Council Steering Committee, as result of the follow-up audit. 1. The Committee should re-instate semi-annual monitoring and reporting of the seven recommendations remaining in-progress, until all are resolved. 2. The Committee should review its terms of reference ensure it complements those of other committees with particular attention to approval of IT Plan and reporting and resolution of non-compliance and risk issues. No further follow-up activity is recommended for Internal Audit regarding the Audit of Information Technology. Page 3

4 Detailed Observations 1. Organizational and Operating Changes In an effort to increase efficiency, the information technology functions for both councils have been centralized under CASD. In mid-2007, an Executive Director, IMTS was hired to oversee the management of the information technology (IT) function. In addition to the organizational changes, information technology has been striving to better focus their resources by reducing and consolidating the number of projects they are committed to delivering. Approximately two years ago, annual project lists included over 200 projects. This number has been significantly reduced and is now less than half that number. To better address users needs, further consolidation of IT projects and increased use of commercial off-the-shelf products are planned. 2. Monitoring of Implementation of Recommendations For the first two years subsequent to the release of the January 2005 audit report, IMTS regularly monitored progress on the implementation of the audit recommendations. Progress updates were recorded as of June 2005, October 2005, February 2006 and October 2006, (the last update performed). 3. Accuracy of Progress Monitoring During the follow-up audit, documentary evidence was requested to support the progress reported for each recommendation in the October 2006 progress update. The reporting of progress was found to be accurate. The evidence obtained, relative to the current status of the implementation of each recommendation, supported the information provided in the October 2006 progress update. 4. Current Status of Recommendations As of September 2007, fifteen of the twenty-two 2005 recommendations have been implemented and seven recommendations remain in progress. Some of the key initiatives which have been implemented include: The establishment of the IM/IT Bi-Council Steering Committee; The production of a multi-year Bi-Council technological vision; The development of a comprehensive Threat and Risk Assessment of the IT infrastructure environment; The implementation of a template which requires the completion of Threat and Risk Assessments for each new system initiative; and, Page 4

5 The completion of a TBS required, Management of IT Security (MITS) compliance assessment. Appendix A provides detailed information on the in-progress audit recommendations. 5. Governance and Risk Management At the current time, governance structures at NSERC-SSHRC are under review. This review of governance structures may present opportunities to increase the effectiveness of information technology through strengthened oversight arrangements. It was noted that several committees appear to have an advisory capacity with regards to information technology. What was not as clear is how the information technology plans and objectives directly relate to the NSERC- SSHRC multi-year strategic plans and who approves the information technology project plan. Another element which was not clearly enunciated in committee terms of reference was who is accountable for monitoring and managing IT risks in the Councils. With regards to risk, two core information technology documents were completed in 2007, a comprehensive Threat and Risk Assessment of Information Technology Infrastructure and a required Treasury Board Secretariat questionnaire on the Management of IT Security (this information is used by TBS to monitor departmental and government-wide compliance with government IT security requirements). The Threat and Risk Assessment identified six areas of medium risk to be addressed and the Management of IT Security (MITS) questionnaire identified fourteen points of non-compliance within the Councils. 6. Cost /Benefit Assessments During the conduct of the follow-up audit, full costs for information technology projects were not available. IMTS is working towards this goal by assigning salary and other than salary costs to IT projects. Page 5

6 Follow-up Audit Recommendations & Management Responses 1. Continued Monitoring It is recommended that the IM/IT Bi-Council Steering Committee re-instate semi-annual monitoring and reporting of the seven recommendations, which are still in progress until all are resolved. Management Response Response: Action: Management agrees with recommendations as stated. The IM/IT Bi-Council Steering Committee will add an IT Audit Update item to its agenda for the first and third meeting of each fiscal year until all recommendations are completely resolved. 2. Governance and Risk Management In conjunction with the internal reviews of governance, it is recommended that the IM/IT Bi- Council Steering Committee review the various committees terms of reference to ensure that respective roles relative to information technology of the various executive and management committees are clear and complement those of the IM/IT Bi-Council Steering Committee, particularly as they relate to: A. Approving the IT Plan and its revision (the list of projects that IT resources can be devoted to and the process to be followed to add or remove projects). B. Identifying and agreeing on which committee(s) is to be informed of the existence and disposition of non-compliance and risk issues. Management Response Response: Action A: Action B: Management agrees with recommendations as stated. The IM/IT Bi-Council Steering Committee will ensure that the responsibility and accountability for approving and maintaining the annual IT Plan is appropriately referenced within its Terms of Reference. The IM/IT Bi-Council Steering Committee will ensure that the responsibility and accountability for addressing IT non-compliance and risk issues are communicated to and acted upon by the appropriate committee(s) subsequent to the completion of the internal reviews of governance. Page 6

7 ORIGINAL RECOMMENDATIONS IT Policies In collaboration with the Administration Division, IMTS should identify the IT areas to be covered by IT policies, assign a priority and a development schedule to each new policy, develop each one according to the established timeline, present them to the IM/IT steering committee for approval, and develop a roll out strategy to cover the communication to staff and posting on the Intranet Service Level Agreements IMTS should review its SLA (Service Level Agreement) and identify performance targets for Network Administration, System Development, Helpdesk Services, Internet and Intranet. These performance targets need to be negotiated with the clients, included in a revised SLA, monitored for compliance, reported on a regular basis, and communicated to the IT Steering Committee. Appendix A FOLLOW-UP AUDIT Information on In-Progress Recommendations STATUS OF IN-PROGRESS RECOMMENDATIONS As of October 2005, IMTS had established an ongoing process for identifying and documenting new IT policies which included: Identifying new IT policy requirements at the IMTS Managers annual planning retreat; In collaboration with the Administration Division, identifying potential overlap between IT and Administration policies, assigning priorities, preparing development schedules and documenting the policies; and Developing a rollout strategy. At that time, the need for an Information Management Policy, requiring collaboration between IT and Administration was been identified. Prior to the creation of the IM/IT Steering Committee, there did not appear to be a governance body in the Bi-Council with a mandate to review and approve IM/IT polices for NSERC-SSHRC. However, a committee governance review is currently underway within both Councils. The results of these reviews are expected to set clear roles and responsibilities that will account for the IM/IT related policy review and approvals. IMTS indicate that their existing Service Level Agreement (SLA) has required updating since They are in the process of subdividing this generic agreement into more specific service SLA's. Throughout IMTS plan to create 2 new specific SLA's - one for Corporate Application Support services, and another for Electronic Business Solution Development services. The existing SLA would then be updated to remove reference to those services that will have their own more specific client SLA. An IMTS Corporate System Development SLA was drafted in July 2007 and IMTS plans to complete both new SLA s by the end of 07/08. In the interim, the ebusiness Support for External Clients document, while not a formal SLA, does serve as a service commitment by the On-line Service Helpdesk to the external user community. This document will be rolled into the Electronic Business Solution Development services SLA. Page 7

8 ORIGINAL RECOMMENDATIONS Tracking Incidents and Requests IMTS should investigate the advantages of endorsing a more comprehensive incident tracking system and maintaining a single database for all service requests. Appendix A FOLLOW-UP AUDIT Information on In-Progress Recommendations STATUS OF IN-PROGRESS RECOMMENDATIONS This project is to provide a common, single ITIL (Information Technology Infrastructure Library) compliant tool to assist in performing incident, problem, configuration, change, release and service level management and associated reporting. This tool will replace the in-house built inventory management system and will also be made available to divisions outside of Information Technology and Support Services Division as required, for example within Admin at their own helpdesk, at IM and for the purchasing section in Admin. This is a multi-year project with 3 phases. Phase 1 is the deployment of incident and request management and is complete. Phase 2 is the deployment of Change, Release and Configuration management modules started in September Phase 3 will complete the project with Service Level management, Problem management and basic financial management modules Escalation Process IMTS should institute a formal escalation process to solve more complex problems. This project involves defining and revising the internal processes associated with each module in order to apply industry best practices. ITIL is the IT Infrastructure Library and it is a framework of best practice approaches intended to facilitate the delivery of high quality IT services. Same as 8.2 Page 8

9 ORIGINAL RECOMMENDATIONS Help Desk Accountability IMTS should review the accountability of the IMTS internal Help Desk and the ebusiness ESD Help Desk (On-Line Service Help Desk) groups to ensure that each group becomes accountable to track and monitor the escalated problems until full resolution Monitor Performance Appendix A FOLLOW-UP AUDIT Information on In-Progress Recommendations STATUS OF IN-PROGRESS RECOMMENDATIONS Same as 8.2 IMTS should monitor the performance targets specified in the SLA Performance Reports IMTS should ensure that performance reports are produced to measure the attainments of objectives stated in the SLA. Same as 8.2 Same as 8.2 Page 9